1. Definitions
Throughout this Privacy Policy:
- "Replia," "we," "us," and "our" refer to Elevatech, the company operating the Replia platform.
- "Platform" refers to the Replia web application at replia.ph, its APIs, and associated services.
- "Bot Owner" refers to a registered user who creates and manages chatbots on the Platform.
- "End User" refers to a visitor who interacts with a chatbot embedded on a Bot Owner's website or through messaging platforms (Facebook Messenger, Instagram).
- "Widget" refers to the embeddable chat interface that Bot Owners install on their websites.
- "Training Data" refers to documents, web pages, and other content uploaded or linked by Bot Owners to train their chatbots.
2.1 Information from Bot Owners (Account Holders)
| Data Type | What We Collect | Purpose |
|---|---|---|
| Account Information | Name, email address, profile picture, organization name | Account creation and management via WorkOS AuthKit |
| Authentication Data | Authentication ID, session tokens | Secure login and session management |
| Chatbot Configuration | Bot name, persona, instructions, model preferences, appearance settings (icon, color, welcome message) | Chatbot creation and customization |
| Training Data | Uploaded documents (PDF, DOCX, CSV, text files), website URLs, YouTube URLs, sitemaps | AI training and RAG (Retrieval-Augmented Generation) for chatbot responses |
| Custom Responses | Question-and-answer pairs, knowledge snippets | Customizing chatbot behavior and responses |
| Domain Configuration | Allowed domains and domain patterns | Widget embedding restrictions and security |
| Integration Credentials | Facebook Page access tokens, Page IDs, Instagram account IDs | Messenger and Instagram integration functionality |
| Team Information | Member email addresses, roles (admin/member), invitation tokens | Collaborative chatbot management |
2.2 Information from End Users (Chat Visitors)
| Data Type | What We Collect | Purpose |
|---|---|---|
| Chat Messages | Messages sent to and received from chatbots | Providing chatbot responses, conversation history |
| Conversation Metadata | Conversation timestamps, source channel (widget, Messenger, Instagram) | Conversation management and analytics |
| Lead Information | Name, email, phone number, message (voluntarily provided through lead capture forms or AI-assisted capture) | Lead generation for Bot Owners |
| Technical Data | IP address (for rate limiting only, not stored persistently), referring domain | Rate limiting, domain validation, abuse prevention |
| Platform Identifiers | Facebook Page-Scoped User ID (PSID), Instagram-Scoped User ID (IGSID), profile name, profile picture URL | Messenger/Instagram conversation management |
2.3 Information We Do NOT Collect
- We do not use cookies for tracking or advertising purposes on the Widget.
- We do not collect payment or financial information directly (payment processing is handled by third-party providers).
- We do not sell personal information to third parties.
- We do not use End User chat data to train our own AI models.
3. How We Use Your Information
3.1 For Bot Owners
- Provide, maintain, and improve the Replia platform
- Process uploaded Training Data to generate vector embeddings for AI-powered retrieval
- Enable chatbot creation, configuration, and deployment
- Facilitate team collaboration and access management
- Enable Messenger and Instagram integrations via Meta APIs
- Communicate service updates, security alerts, and account notifications
3.2 For End Users
- Deliver AI-generated chatbot responses using RAG (Retrieval-Augmented Generation)
- Maintain conversation history within a session
- Capture lead information when voluntarily submitted
- Enforce rate limits to prevent abuse (20 requests/minute per bot, 60 requests/minute per IP)
- Validate authorized domains for widget embedding
3.3 General Purposes
- Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations
- Analyze usage patterns to improve the Platform (in aggregate, non-identifying form)
4. Legal Basis for Processing
We process personal information based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Replia service to Bot Owners under our Terms of Service.
- Legitimate Interest: Processing End User messages to deliver chatbot functionality on behalf of Bot Owners; rate limiting and security measures.
- Consent: When End Users voluntarily provide lead information through chat or lead capture forms, and when Bot Owners connect third-party integrations (Facebook/Instagram).
- Legal Obligation: Processing required to comply with applicable laws and regulations.
5. Third-Party Services & Data Processors
Replia uses the following third-party services to operate:
| Service | Purpose | Data Shared |
|---|---|---|
| Convex | Backend database, real-time sync, file storage | All platform data (stored and processed on Convex infrastructure) |
| WorkOS AuthKit | Authentication and user management | Email, name, profile picture, authentication events |
| OpenAI | AI chat responses (GPT-5, GPT-5 Mini) and text embeddings | Chat messages, Training Data text chunks, conversation context |
| Google AI (Gemini) | Alternative AI chat responses (Gemini 3) | Chat messages, conversation context (only when selected as bot model) |
| Google Cloud Vision | PDF document OCR processing | PDF documents uploaded for training (temporarily stored during processing) |
| Meta Platform | Messenger and Instagram DM integrations | Messages, user profile data, page access tokens |
Important: When End Users interact with a chatbot, their messages are sent to the AI provider (OpenAI or Google) selected by the Bot Owner to generate responses. These messages are processed in accordance with each provider's data processing terms and are not used to train the AI provider's models.
6. AI and Automated Processing
6.1 How AI Processes Your Data
Replia uses AI to provide chatbot responses through Retrieval-Augmented Generation (RAG):
- Document Ingestion: Training Data uploaded by Bot Owners is parsed, split into chunks, and converted into vector embeddings using OpenAI's embedding model.
- Retrieval: When an End User sends a message, the system searches for relevant content from the Bot Owner's training data using vector similarity search.
- Generation: The relevant content is combined with the conversation history and sent to the selected AI model to generate a response.
6.2 AI-Assisted Lead Capture
When enabled by the Bot Owner, the chatbot may use AI to identify opportunities to collect lead information during conversations. The chatbot will ask the End User for their name, email, or phone number when contextually appropriate. End Users are never required to provide this information.
6.3 Automated Decision-Making
- Rate Limiting: Automated systems limit chat requests to prevent abuse (20/minute per bot, 60/minute per IP). This is a technical security measure, not a profiling activity.
- Domain Validation: Automated checks verify that widget requests come from authorized domains.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (Bot Owners) | Retained while account is active; deleted upon account deletion request |
| Chatbot configurations | Retained while the chatbot exists; deleted when bot is deleted (cascade deletion) |
| Training Data (documents, embeddings) | Retained while associated resource exists; deleted when resource is removed |
| Conversation history and messages | Retained while the chatbot exists; Bot Owners may delete individual conversations |
| Lead information | Retained until deleted by Bot Owner |
| PDF processing jobs | Temporary; cleaned up after processing completes or fails |
| IP addresses (rate limiting) | Not stored persistently; used only for in-memory rate limit calculations |
| Platform integration tokens | Retained while integration is active; deleted when disconnected |
When a Bot Owner deletes a chatbot, all associated data is cascade-deleted, including: conversations, messages, leads, resources, documents, embeddings, custom responses, knowledge snippets, appearance settings, allowed domains, and platform integrations.
8. Data Sharing & Disclosure
We do not sell, rent, or trade personal information. We share data only in these circumstances:
- With Bot Owners: End User chat messages, conversation data, and lead information are accessible to the Bot Owner who manages the chatbot.
- With Third-Party Processors: As described in Section 5, to operate the Platform's core functionality.
- Legal Compliance: When required by law, regulation, legal process, or enforceable governmental request.
- Safety and Security: To protect against harm to the rights, property, or safety of Elevatech, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case users will be notified.
9. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Authentication: Secure authentication via WorkOS AuthKit with industry-standard session management.
- Authorization: Role-based access control (admin/member) ensuring users only access chatbots they are authorized to manage.
- Transport Security: All data is transmitted over HTTPS with TLS encryption.
- Domain Restriction: Widget embedding can be restricted to authorized domains only.
- Rate Limiting: Protection against abuse and denial-of-service attacks.
- Input Validation: Message length limits (10,000 characters), email validation, and input sanitization.
- Webhook Security: Facebook/Instagram webhooks are validated using HMAC-SHA256 signature verification.
- Infrastructure: Data is hosted on Convex's managed infrastructure with their enterprise security measures.
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Your Rights
10.1 For Bot Owners
You have the right to:
- Access your personal data and chatbot data through the Platform dashboard
- Correct your account information at any time
- Delete your account and all associated data by contacting us
- Export your chatbot data upon request
- Disconnect third-party integrations at any time through the Platform
- Remove training data, conversations, leads, and custom responses through the Platform
10.2 For End Users
You have the right to:
- Know that your chat interactions are processed by AI and visible to the Bot Owner
- Decline to provide lead information when prompted by the chatbot
- Request deletion of your conversation data by contacting the Bot Owner or us directly
- Stop interacting with the chatbot at any time
10.3 Philippine Data Privacy Act (RA 10173)
For users in the Philippines, you are entitled to the following rights under the Data Privacy Act of 2012:
- Right to be Informed — You have the right to be informed of the collection and processing of your data.
- Right to Access — You may request access to your personal data held by Replia.
- Right to Object — You may object to the processing of your personal data.
- Right to Erasure or Blocking — You may request the removal or blocking of your personal data.
- Right to Rectification — You may request correction of inaccurate personal data.
- Right to Data Portability — You may request a copy of your data in a structured, commonly used format.
- Right to File a Complaint — You may file a complaint with the National Privacy Commission (NPC) at privacy.gov.ph.
10.4 Exercising Your Rights
To exercise any of these rights, contact us at the details provided in Section 15. We will respond to requests within 30 days.
11. Cookies & Tracking Technologies
11.1 Platform (replia.ph)
- Authentication cookies/tokens: Essential for maintaining your login session. Strictly necessary and cannot be disabled.
- Local storage: Used for application state management on the client side.
11.2 Embeddable Widget
- Local storage: To persist conversation history and lead information within the browser. This data stays in the End User's browser and is not used for tracking.
The Widget does not use cookies, third-party trackers, or analytics scripts.
12. Children's Privacy
Replia is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us.
13. International Data Transfers
Replia's infrastructure and third-party processors may store and process data in locations outside the Philippines, including the United States (Convex, OpenAI, WorkOS, Google Cloud). By using the Platform or interacting with a Replia-powered chatbot, you acknowledge that your data may be transferred to and processed in these jurisdictions.
We ensure that any international data transfer is conducted with appropriate safeguards, including the use of processor agreements with our third-party service providers.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered Bot Owners via email for significant changes
- Post a notice on the Platform
Continued use of the Platform after changes take effect constitutes acceptance of the updated Privacy Policy.
Elevatech
Data Privacy Inquiries
Email: [email protected]
Website: replia.ph
For complaints regarding your personal data, you may also contact the National Privacy Commission (NPC) of the Philippines at privacy.gov.ph.